Your message dated Sat, 07 Oct 2023 12:41:28 +0100 with message-id <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk> and subject line Closing opu requests for updates included in 11.8 has caused the Debian Bug report #1040865, regarding bullseye-pu: package yajl/2.1.0-3+deb11u2 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1040865: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040865
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package yajl/2.1.0-3+deb11u2
- From: Tobias Frost <tobi@debian.org>
- Date: Tue, 11 Jul 2023 20:01:20 +0200
- Message-id: <ZK2Y8KwFa31fU6Ud@isildor.loewenhoehle.ip>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: yajl@packages.debian.org
Control: affects -1 + src:yajl

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: yajl@packages.debian.org
Control: affects -1 + src:yajl

Previous o-s-p-u upload was #1040137; two additional CVEs have been fixed since then and the fix for CVE-2023-33460 has been found to be incomplete.

This upload is part of fixing yajl for every release. So far sid, buster (DLA-3492), stretch and jessie (ELA-892-1) have been targeted. bookworm s-p-u is pending, see #1040863.

CVE-2017-16516
    When a crafted JSON file is supplied to yajl, the process might crash with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results potentially in a denial of service.

CVE-2022-24795
    The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs.

CVE-2023-33460
    There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function, which potentially cause out-of-memory in server and cause crash.

[ Risks ]
Required changes are minimal, see debdiff. Package testsuite passes.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

For unstable, the fixes are in 2.1.0-5.

I have already uploaded to the s-p-u queue.

diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog --- yajl-2.1.0/debian/changelog 2023-07-02 13:31:39.000000000 +0200 +++ yajl-2.1.0/debian/changelog 2023-07-11 19:55:30.000000000 +0200 
@@ -1,3 +1,15 @@ +yajl (2.1.0-3+deb11u2) bullseye; urgency=medium + + [Tobias Frost] + * Non-maintainer upload. + * Cherry pick John's CVE fixes from 2.1.0-4 and 2.1.0-5 + + [John Stamp] + * Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036) + * The patch for CVE-2023-33460 turned out to be incomplete. Fix that. (Closes: #1039984) + + -- Tobias Frost <tobi@debian.org> Tue, 11 Jul 2023 19:55:30 +0200 + yajl (2.1.0-3+deb11u1) bullseye; urgency=medium * Non-maintainer upload. diff -Nru yajl-2.1.0/debian/patches/CVE-2017-16516.patch yajl-2.1.0/debian/patches/CVE-2017-16516.patch --- yajl-2.1.0/debian/patches/CVE-2017-16516.patch 1970-01-01 01:00:00.000000000 +0100 +++ yajl-2.1.0/debian/patches/CVE-2017-16516.patch 2023-07-10 19:32:01.000000000 +0200 @@ -0,0 +1,22 @@ +Description: Fix for CVE-2017-16516 + Potential buffer overread: A JSON file can cause denial of service. +Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036 +Bug: https://github.com/lloyd/yajl/issues/248 +--- + src/yajl_encode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/src/yajl_encode.c ++++ b/src/yajl_encode.c +@@ -139,8 +139,8 @@ + end+=3; + /* check if this is a surrogate */ + if ((codepoint & 0xFC00) == 0xD800) { +- end++; +- if (str[end] == '\\' && str[end + 1] == 'u') { ++ if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') { ++ end++; + unsigned int surrogate = 0; + hexToDigit(&surrogate, str + end + 2); + codepoint = diff -Nru yajl-2.1.0/debian/patches/CVE-2022-24795.patch yajl-2.1.0/debian/patches/CVE-2022-24795.patch --- yajl-2.1.0/debian/patches/CVE-2022-24795.patch 1970-01-01 01:00:00.000000000 +0100 +++ yajl-2.1.0/debian/patches/CVE-2022-24795.patch 2023-07-10 19:32:01.000000000 +0200 
@@ -0,0 +1,30 @@ +Description: Fix for CVE-2022-24795 + An integer overflow will lead to heap memory corruption with large (~2GB) inputs. +Origin: https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036 +Bug: https://github.com/lloyd/yajl/issues/239 +--- + src/yajl_buf.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/src/yajl_buf.c ++++ b/src/yajl_buf.c +@@ -45,7 +45,17 @@ + + need = buf->len; + +- while (want >= (need - buf->used)) need <<= 1; ++ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) { ++ /* We cannot allocate more memory than SIZE_MAX. */ ++ abort(); ++ } ++ while (want >= (need - buf->used)) { ++ if (need >= (size_t)((size_t)(-1)<<1)>>1) { ++ /* need would overflow. */ ++ abort(); ++ } ++ need <<= 1; ++ } + + if (need != buf->len) { + buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need); diff -Nru yajl-2.1.0/debian/patches/CVE-2023-33460.patch yajl-2.1.0/debian/patches/CVE-2023-33460.patch --- yajl-2.1.0/debian/patches/CVE-2023-33460.patch 2023-07-02 13:30:08.000000000 +0200 +++ yajl-2.1.0/debian/patches/CVE-2023-33460.patch 2023-07-11 19:54:44.000000000 +0200 
@@ -1,17 +1,32 @@ -From 23a122eddaa28165a6c219000adcc31ff9a8a698 Mon Sep 17 00:00:00 2001 -From: "zhang.jiujiu" <282627424@qq.com> -Date: Tue, 7 Dec 2021 22:37:02 +0800 -Subject: [PATCH] fix memory leaks - +Description: Fix for CVE-2023-33460a + Memory leak in yajl 2.1.0 with use of yajl_tree_parse function + See https://github.com/lloyd/yajl/issues/250#issuecomment-1628695214 +Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984 +Bug: https://github.com/lloyd/yajl/issues/250 --- - src/yajl_tree.c | 3 +++ - 1 file changed, 3 insertions(+) + src/yajl_tree.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) --- a/src/yajl_tree.c +++ b/src/yajl_tree.c -@@ -445,6 +445,9 @@ +@@ -143,7 +143,7 @@ + ctx->stack = stack->next; + + v = stack->value; +- ++ free (stack->key); + free (stack); + + return (v); +@@ -444,7 +444,14 @@ + snprintf(error_buffer, error_buffer_size, "%s", internal_err_str); YA_FREE(&(handle->alloc), internal_err_str); } ++ while(ctx.stack != NULL) { ++ yajl_val v = context_pop(&ctx); ++ yajl_tree_free(v); ++ } yajl_free (handle); + //If the requested memory is not released in time, it will cause memory leakage + if(ctx.root) diff -Nru yajl-2.1.0/debian/patches/series yajl-2.1.0/debian/patches/series --- yajl-2.1.0/debian/patches/series 2023-07-02 13:30:08.000000000 +0200 +++ yajl-2.1.0/debian/patches/series 2023-07-11 19:17:44.000000000 +0200 @@ -1,3 +1,5 @@ dynamically-link-tools.patch multiarch.patch +CVE-2017-16516.patch +CVE-2022-24795.patch CVE-2023-33460.patchAttachment: signature.asc
Description: PGP signature
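Review bot: In the src/yajl_encode.c hunk of CVE-2017-16516.patch, the new guard `end + 2 < len` only proves that the two bytes compared against '\\' and 'u' are inside the buffer, while the next statement, `hexToDigit(&surrogate, str + end + 2)`, reads from an offset beyond both of them once `end++` has run. If hexToDigit consumes four hex digits there, the condition that actually bounds the read is `end + 6 < len`; either tighten the check or add a comment naming the earlier validation that guarantees the digits are present. Separately, moving `end++;` above `unsigned int surrogate = 0;` puts a declaration after a statement inside the block, which will warn or fail on a strict C89 build; declaring `surrogate` before the increment avoids that.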
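Review bot: In the src/yajl_buf.c hunk of CVE-2022-24795.patch, both new overflow branches call `abort()`, so an oversized input now terminates the host process instead of corrupting the heap. That is the safer outcome, but for a library it is still a denial of service on attacker-sized input, and the patch description should say so (or a follow-up should return an error to the caller). The second test, `need >= (size_t)((size_t)(-1)<<1)>>1`, is hard to verify by eye because the cast binds before the final `>>1`; it evaluates to SIZE_MAX/2, and writing it that way or parenthesising it fully would make the intent reviewable. The first test relies on `buf->used + want` wrapping around, which deserves its own one-line comment since the existing comment only mentions SIZE_MAX.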
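Review bot: In the refreshed CVE-2023-33460.patch, the context_pop hunk now calls `free (stack->key)` unconditionally, so every path that hands the key over to a parsed object has to clear `stack->key` first, otherwise the new error-path loop (`context_pop(&ctx)` followed by `yajl_tree_free(v)`) turns into a double free. Nothing in the visible lines shows where ownership is dropped, so please point to that assignment in the description or add it to the patch. The header rewrite also removes the original From/Date/Subject lines without adding a DEP-3 `Author:` field, and the description reads `CVE-2023-33460a`, where the trailing `a` looks like a typo.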
--- End Message ---
--- Begin Message ---
- To: 1007787-done@bugs.debian.org, 1007950-done@bugs.debian.org, 1013893-done@bugs.debian.org, 1028992-done@bugs.debian.org, 1032299-done@bugs.debian.org, 1034510-done@bugs.debian.org, 1034713-done@bugs.debian.org, 1034714-done@bugs.debian.org, 1034736-done@bugs.debian.org, 1035046-done@bugs.debian.org, 1035059-done@bugs.debian.org, 1035105-done@bugs.debian.org, 1035304-done@bugs.debian.org, 1035311-done@bugs.debian.org, 1035464-done@bugs.debian.org, 1035475-done@bugs.debian.org, 1035522-done@bugs.debian.org, 1035683-done@bugs.debian.org, 1035924-done@bugs.debian.org, 1036043-done@bugs.debian.org, 1036044-done@bugs.debian.org, 1036046-done@bugs.debian.org, 1036182-done@bugs.debian.org, 1036240-done@bugs.debian.org, 1036300-done@bugs.debian.org, 1036314-done@bugs.debian.org, 1036797-done@bugs.debian.org, 1036811-done@bugs.debian.org, 1036976-done@bugs.debian.org, 1037054-done@bugs.debian.org, 1037175-done@bugs.debian.org, 1037182-done@bugs.debian.org, 1037187-done@bugs.debian.org, 1037196-done@bugs.debian.org, 1037214-done@bugs.debian.org, 1037236-done@bugs.debian.org, 1038153-done@bugs.debian.org, 1038451-done@bugs.debian.org, 1038813-done@bugs.debian.org, 1038943-done@bugs.debian.org, 1039020-done@bugs.debian.org, 1039040-done@bugs.debian.org, 1039470-done@bugs.debian.org, 1039708-done@bugs.debian.org, 1039738-done@bugs.debian.org, 1039854-done@bugs.debian.org, 1039860-done@bugs.debian.org, 1039994-done@bugs.debian.org, 1040137-done@bugs.debian.org, 1040668-done@bugs.debian.org, 1040677-done@bugs.debian.org, 1040758-done@bugs.debian.org, 1040865-done@bugs.debian.org, 1040930-done@bugs.debian.org, 1040950-done@bugs.debian.org, 1041397-done@bugs.debian.org, 1041475-done@bugs.debian.org, 1042057-done@bugs.debian.org, 1043270-done@bugs.debian.org, 1049374-done@bugs.debian.org, 1050044-done@bugs.debian.org, 1050119-done@bugs.debian.org, 1050121-done@bugs.debian.org, 1050332-done@bugs.debian.org, 1050333-done@bugs.debian.org, 1050538-done@bugs.debian.org, 
1050573-done@bugs.debian.org, 1050638-done@bugs.debian.org, 1051051-done@bugs.debian.org, 1051339-done@bugs.debian.org, 1051508-done@bugs.debian.org, 1051884-done@bugs.debian.org, 1051902-done@bugs.debian.org, 1051937-done@bugs.debian.org, 1052027-done@bugs.debian.org, 1052082-done@bugs.debian.org, 1052150-done@bugs.debian.org, 1052222-done@bugs.debian.org, 1052288-done@bugs.debian.org, 1052363-done@bugs.debian.org, 1052402-done@bugs.debian.org, 1052420-done@bugs.debian.org, 1052552-done@bugs.debian.org, 1052611-done@bugs.debian.org, 1053177-done@bugs.debian.org, 1053220-done@bugs.debian.org, 1053240-done@bugs.debian.org, 1053270-done@bugs.debian.org, 1053271-done@bugs.debian.org, 1053290-done@bugs.debian.org, 1053522-done@bugs.debian.org
- Subject: Closing opu requests for updates included in 11.8
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 07 Oct 2023 12:41:28 +0100
- Message-id: <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in today's 11.8 bullseye point release.

Regards,

Adam
--- End Message ---